From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 20 15:10:53 2005
Message-ID: <438091EA.3040203@mersin.edu.tr>
Date: Sun, 20 Nov 2005 17:10:34 +0200
From: Özkan KIRIK
To: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Subject: FreeBSD 6.0 - ipfw fwd with bridge mode

Hi,

I am trying to forward packets via ipfw in bridge mode.
Is there any patch for 6.0-Release?

Thanks for your interest,

From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 20 18:04:51 2005
From: "Alexandre DELAY"
To: "Luigi Rizzo"
Cc: freebsd-ipfw@freebsd.org
Date: Sun, 20 Nov 2005 19:04:47 +0100
In-Reply-To: <20050629093248.A44168@xorpc.icir.org>
Subject: RE: strange dummynet WFQ problem

It effectively works well, but I still have a problem:

When I use my bandwidth (download a huge file) and I start a ping at the
same time, latency grows from 15ms up to 300ms.

Again my conf:

> 00005 allow ip from any to any via lo0
> 00006 deny ip from any to 127.0.0.0/8
> 00007 deny ip from 127.0.0.0/8 to any
> 00011 divert 8668 ip from any to any via ext
> 21046 queue 8 ip from any to 172.20.1.23 in via ext
> 21047 queue 9 ip from 172.20.1.23 to any in via int
> 65535 allow ip from any to any

Cheers

Alex

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org
[mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Luigi Rizzo
Sent: Wednesday, 29 June 2005 18:33
To: Alexandre D.
Cc: freebsd-ipfw@freebsd.org
Subject: Re: strange dummynet WFQ problem

hi,
when a pipe or queue has a mask of all 0's it only shows the addresses of
the first packet that matched, so you don't have to worry about that.
Also, if queues are linked to the pipe, the accounting is done on
the queues and not on the pipe.

        cheers
        luigi

On Wed, Jun 29, 2005 at 06:27:48PM +0200, Alexandre D. wrote:
>
> Hi guys
>
> I have a strange problem.
>
> here is a simple sample my conf (hic!):
>
> # ipfw list
> 00005 allow ip from any to any via lo0
> 00006 deny ip from any to 127.0.0.0/8
> 00007 deny ip from 127.0.0.0/8 to any
> 00011 divert 8668 ip from any to any via ext
> 21046 queue 8 ip from any to 172.20.1.23
> 21047 queue 9 ip from 172.20.1.23 to any
> 65535 allow ip from any to any
>
> bash-2.05b# ipfw pipe list
> 00001:   1.024 Mbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> 00002:   1.024 Mbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> ...
> q00008: weight 4 pipe 1   50 sl. 1 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   0 udp  dns address/53        172.20.1.195/3007     1032 254524   0 0      0
> q00009: weight 4 pipe 2   50 sl. 1 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   0 udp  172.20.1.195/68       255.255.255.255/67    589 53330     0 0      0
>
>
> The thing is that:
> -it looks that datas are going through the corrects queues,
> -each queue is correctly linked to a pipe
> -there is not accounting on both pipes
> -only dns packets are shown by this command.
>
>
> My wonders are:
> -How can I be sure that my queues are correctly linked to the pipes?
> -Why don't I have accounting on the pipes?
> -Why don't I get other than dns packet accounting?
>
> Sorry for the english
>
> Thanks for the answer
>
> Cheers
>
> Alex

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 20 18:10:03 2005
Date: Sun, 20 Nov 2005 10:10:01 -0800
From: Luigi Rizzo
To: Alexandre DELAY
Cc: freebsd-ipfw@freebsd.org
Message-ID: <20051120101001.A45777@xorpc.icir.org>
References: <20050629093248.A44168@xorpc.icir.org>
Subject: Re: strange dummynet WFQ problem

On Sun, Nov 20, 2005 at 07:04:47PM +0100, Alexandre DELAY wrote:
> It effectively works well, but I still have a problem:
>
> When I use my bandwidth (download a huge file) and I start a ping at the
> same time, latency grows from 15ms up to 300ms.

it is normal because the ping packets are queued behind
the other traffic.

        luigi

From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 20 18:16:38 2005
From: "Alexandre DELAY"
To: "Luigi Rizzo"
Cc: freebsd-ipfw@freebsd.org
Date: Sun, 20 Nov 2005 19:16:40 +0100
In-Reply-To: <20051120101001.A45777@xorpc.icir.org>
Subject: RE: strange dummynet WFQ problem

Interesting. I didn't find anything about that.
Where can I learn more about these "priorities"?

Alex

From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 20 21:26:02 2005
Date: Sun, 20 Nov 2005 13:25:57 -0800
From: Luigi Rizzo
To: Alexandre DELAY
Cc: freebsd-ipfw@freebsd.org
Message-ID: <20051120132556.A47536@xorpc.icir.org>
References: <20051120101001.A45777@xorpc.icir.org>
Subject: Re: strange dummynet WFQ problem

On Sun, Nov 20, 2005 at 07:16:40PM +0100, Alexandre DELAY wrote:
> Interesting. I didn't find anything about that.
> Where can I learn more about these "priorities"?

well, dummynet does not do priorities but weights.
lookup google for "WFQ"
or read the ipfw manpage.

        cheers
        luigi

From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 20 21:45:44 2005
From: AT Matik
Organization: Infomatik
To: freebsd-ipfw@freebsd.org
Date: Sun, 20 Nov 2005 19:40:01 -0200
Message-Id: <200511201940.01686.asstec@matik.com.br>
References: <20051120101001.A45777@xorpc.icir.org> <20051120132556.A47536@xorpc.icir.org>
In-Reply-To: <20051120132556.A47536@xorpc.icir.org>
Subject: Re: strange dummynet WFQ problem

On Sunday 20 November 2005 19:25, Luigi Rizzo wrote:
> On Sun, Nov 20, 2005 at 07:16:40PM +0100, Alexandre DELAY wrote:
> > Interesting. I didn't find anything about that.
> > Where can I learn more about these "priorities"?
>
> well, dummynet does not do priorities but weights.
> lookup google for "WFQ"
> or read the ipfw manpage.
>

ehh, I guess he wanted to know why icmp echo is being queued because you said
it before

João

--
Sincerely
Infomatik Internet Technology
(18)3551.8155 (18)8112.7007
http://info.matik.com.br

From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 20 21:56:01 2005
Date: Sun, 20 Nov 2005 13:56:00 -0800
From: Luigi Rizzo
To: AT Matik
Cc: freebsd-ipfw@freebsd.org
Message-ID: <20051120135600.C47585@xorpc.icir.org>
References: <20051120101001.A45777@xorpc.icir.org> <20051120132556.A47536@xorpc.icir.org> <200511201940.01686.asstec@matik.com.br>
In-Reply-To: <200511201940.01686.asstec@matik.com.br>
Subject: Re: strange dummynet WFQ problem

On Sun, Nov 20, 2005 at 07:40:01PM -0200, AT Matik wrote:
> On Sunday 20 November 2005 19:25, Luigi Rizzo wrote:
> > On Sun, Nov 20, 2005 at 07:16:40PM +0100, Alexandre DELAY wrote:
> > > Interesting. I didn't find anything about that.
> > > Where can I learn more about these "priorities"?
> >
> > well, dummynet does not do priorities but weights.
> > lookup google for "WFQ"
> > or read the ipfw manpage.
> >
>
> ehh, I guess he wanted to know why icmp echo is being queued because you said
> it before

because that's what is written in his ruleset.
(at least i suppose - he did not send "ipfw queue show" output
but from his previous example he did not put masks on the queues).

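
Added example, not part of any message in this thread and not dummynet code: a small model of the point made in the replies above, that the echo packets share a queue with the download and that dummynet queues carry weights rather than priorities. It uses a simplified self-clocked fair-queueing scheduler in place of dummynet's own; the pipe rate and weight 4 are taken from the quoted `ipfw pipe list` output, while the 25-packet backlog, the packet sizes and queue number 10 are assumptions made for the illustration.

```python
"""Toy model of one dummynet pipe with weighted queues (added example).

Simplified self-clocked fair queueing; dummynet's real scheduler is not
reproduced here. Values marked 'thread' come from the quoted output.
"""
import heapq

PIPE_BW = 1_024_000   # bit/s (thread: "1.024 Mbit/s")
WEIGHT = 4            # thread: "weight 4"
BULK_LEN = 1500       # bytes, constructed: full-size download packet
PING_LEN = 84         # bytes, constructed: small ICMP echo packet


def simulate(arrivals, queue_of, weights, bw=PIPE_BW):
    """Serve packets through one pipe.

    arrivals: list of (time_s, flow, size_bytes), sorted by time
    queue_of: dict flow -> queue number (what the ipfw rules decide)
    weights:  dict queue number -> weight
    Returns [(flow, arrival_s, departure_s), ...] in service order.
    """
    ready = []                        # heap of (finish_tag, seq, arrival, flow, size)
    last_tag = {q: 0.0 for q in weights}
    vtime = now = 0.0
    served = []
    i = seq = 0
    while i < len(arrivals) or ready:
        if not ready and arrivals[i][0] > now:
            now = arrivals[i][0]      # pipe idle: jump to the next arrival
        # Admit everything that arrived while the last packet was sent.
        while i < len(arrivals) and arrivals[i][0] <= now:
            t, flow, size = arrivals[i]
            q = queue_of[flow]
            # Finish tag grows by size/weight: a heavier queue drains faster.
            tag = max(vtime, last_tag[q]) + size / weights[q]
            last_tag[q] = tag
            heapq.heappush(ready, (tag, seq, t, flow, size))
            seq += 1
            i += 1
        tag, _, t, flow, size = heapq.heappop(ready)
        vtime = tag                   # virtual time = tag of packet in service
        now += size * 8 / bw          # transmission time on the pipe
        served.append((flow, t, now))
    return served


def ping_delay(queue_of, weights, backlog=25):
    """Delay of one echo arriving 1 ms after `backlog` bulk packets."""
    arrivals = [(0.0, "bulk", BULK_LEN)] * backlog + [(0.001, "ping", PING_LEN)]
    for flow, arrived, left in simulate(arrivals, queue_of, weights):
        if flow == "ping":
            return left - arrived


def shared_queue_delay():
    # As in the thread: one rule sends all IP for the host into queue 8,
    # so the echo waits behind every bulk packet already queued.
    return ping_delay({"bulk": 8, "ping": 8}, {8: WEIGHT})


def separate_queue_delay():
    # Hypothetical queue 10 on the same pipe, fed by an ICMP rule placed
    # before the catch-all queue rule (assumption, not in the thread).
    return ping_delay({"bulk": 8, "ping": 10}, {8: WEIGHT, 10: WEIGHT})


def backlogged_share(w_a=3, w_b=1, first=16):
    """Packets served per flow while both queues stay backlogged."""
    arrivals = [(0.0, "a", 1000)] * 40 + [(0.0, "b", 1000)] * 40
    order = simulate(arrivals, {"a": 1, "b": 2}, {1: w_a, 2: w_b})[:first]
    return (sum(f == "a" for f, _, _ in order),
            sum(f == "b" for f, _, _ in order))


if __name__ == "__main__":
    print(f"shared queue:   {shared_queue_delay() * 1000:.1f} ms")
    print(f"separate queue: {separate_queue_delay() * 1000:.1f} ms")
    print("3:1 weights, first 16 packets (a, b):", backlogged_share())
```

With these inputs the echo waits about 293 ms in the shared queue and about 11 ms in its own queue, because only the bulk packet already on the wire is ahead of it.
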
From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 20 23:30:39 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DE7DA16A41F for ; Sun, 20 Nov 2005 23:30:39 +0000 (GMT) (envelope-from vini@fugspbr.org) Received: from orange.unixpac.com.au (orange.unixpac.com.au [203.3.121.23]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5516A43D46 for ; Sun, 20 Nov 2005 23:30:38 +0000 (GMT) (envelope-from vini@fugspbr.org) Received: from unknown (HELO [192.168.1.124]) ([192.168.1.124]) by orange.unixpac.com.au with ESMTP; 21 Nov 2005 10:30:22 +1100 X-IronPort-AV: i="3.97,355,1125842400"; d="scan'208"; a="46045:sNHT165319668" Message-ID: <4381071B.1090205@fugspbr.org> Date: Mon, 21 Nov 2005 10:30:35 +1100 
From: Vini Engel User-Agent: Mozilla Thunderbird 1.0.7-1.1.fc4 (X11/20050929) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-ipfw@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Ipfw and qmail-smtpd, connections getting stuck - FIN_WAIT_1 FIN_WAIT_2 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 20 Nov 2005 23:30:40 -0000 Hi guys, I was wondering if anyone here has had anything similar with ipfw and qmail-smtpd. I have a FreeBSD 5.3 and 5.4 box running qmail and often I can see many connections with FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, CLOSING. On this box I have some ipfw limit rules to allow incoming connections and normal keep-state rules to allow outgoing connections. In the beginning I thought it was being caused by the sysctl net.inet.ip.fw.dyn_keepalive. I then disabled the keep-alive, it seems to have helped but still there are many connections stuck at the FIN stage. Does anybody have any tips on this? 
Thanks a lot Vini From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 21 04:46:10 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DEBA616A41F; Mon, 21 Nov 2005 04:46:10 +0000 (GMT) (envelope-from julian@elischer.org) Received: from delight.idiom.com (outbound.idiom.com [216.240.47.196]) by mx1.FreeBSD.org (Postfix) with ESMTP id A835B43D4C; Mon, 21 Nov 2005 04:46:10 +0000 (GMT) (envelope-from julian@elischer.org) Received: from idiom.com (idiom.com [216.240.32.1]) by delight.idiom.com (Postfix) with ESMTP id EB0512288AA; Sun, 20 Nov 2005 20:46:09 -0800 (PST) Received: from [192.168.2.4] (home.elischer.org [216.240.48.38]) by idiom.com (8.12.11/8.12.11) with ESMTP id jAL4k7Yx058859; Sun, 20 Nov 2005 20:46:09 -0800 (PST) (envelope-from julian@elischer.org) Message-ID: <4381510D.1070402@elischer.org> Date: Sun, 20 Nov 2005 20:46:05 -0800 
From: Julian Elischer User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.12) Gecko/20051120 X-Accept-Language: en, hu MIME-Version: 1.0 To: =?ISO-8859-9?Q?=D6zkan_KIRIK?= References: <438091EA.3040203@mersin.edu.tr> In-Reply-To: <438091EA.3040203@mersin.edu.tr> Content-Type: text/plain; charset=ISO-8859-9; format=flowed Content-Transfer-Encoding: 8bit Cc: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org Subject: Re: FreeBSD 6.0 - ipfw fwd with bridge mode X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 21 Nov 2005 04:46:11 -0000

Özkan KIRIK wrote:

> Hi,
>
> i am trying to forward packets via ipfw in bridge mode.
> is there any patch for 6.0-Release?
>
> thanks for your interests,
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

there are two patches to do this with 4.x
one by luigi and one by a company I know of.
neither is exactly correct for 6.0

The simplest one just "accepts" the packet as local which means that it
gets run through ipfw again in the IP stack at which time it is REALLY
forwarded.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 21 11:02:41 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3FA6816A41F for ; Mon, 21 Nov 2005 11:02:41 +0000 (GMT) (envelope-from owner-bugmaster@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4E88A43D64 for ; Mon, 21 Nov 2005 11:02:34 +0000 (GMT) (envelope-from owner-bugmaster@freebsd.org) Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id jALB2YLE090075 for ; Mon, 21 Nov 2005 11:02:34 GMT (envelope-from owner-bugmaster@freebsd.org) Received: (from peter@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id jALB2Xl4090069 for freebsd-ipfw@freebsd.org; Mon, 21 Nov 2005 11:02:33 GMT (envelope-from owner-bugmaster@freebsd.org) Date: Mon, 21 Nov 2005 11:02:33 GMT Message-Id: <200511211102.jALB2Xl4090069@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f 
From: FreeBSD bugmaster To: freebsd-ipfw@FreeBSD.org Cc: Subject: Current problem reports assigned to you X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 21 Nov 2005 11:02:41 -0000

Current FreeBSD problem reports

Critical problems

Serious problems

S  Submitted   Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274  ipfw   [ipfw] [patch] ipfw2 create dynamic rules
f [2003/04/24] kern/51341  ipfw   [ipfw] [patch] ipfw rule 'deny icmp from
o [2003/12/11] kern/60154  ipfw   [ipfw] ipfw core (crash)
o [2004/03/03] kern/63724  ipfw   [ipfw] IPFW2 Queues dont t work
o [2004/11/13] kern/73910  ipfw   [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104  ipfw   [ipfw] ipfw2/1 conflict not detected or r
o [2005/03/13] conf/78762  ipfw   [ipfw] [patch] /etc/rc.d/ipfw should exce
o [2005/05/11] bin/80913   ipfw   [patch] /sbin/ipfw2 silently discards MAC
o [2005/11/08] kern/88659  ipfw   [modules] ipfw and ip6fw do not work prop
o [2005/11/08] kern/88664  ipfw   [ipfw] ipfw stateful firewalling broken w

10 problems total.

Non-critical problems

S  Submitted   Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw   [ipfw] Add an option to ipfw to log gid/u
o [2002/12/10] kern/46159  ipfw   [ipfw] [patch] ipfw dynamic rules lifetim
o [2003/02/11] kern/48172  ipfw   [ipfw] [patch] ipfw does not log size and
o [2003/03/10] kern/49086  ipfw   [ipfw] [patch] Make ipfw2 log to differen
o [2003/04/09] bin/50749   ipfw   [ipfw] [patch] ipfw2 incorrectly parses p
o [2003/08/26] kern/55984  ipfw   [ipfw] [patch] time based firewalling sup
o [2003/12/30] kern/60719  ipfw   [ipfw] Headerless fragments generate cryp
o [2004/08/03] kern/69963  ipfw   [ipfw] install_state warning about alread
o [2004/09/04] kern/71366  ipfw   [ipfw] "ipfw fwd" sometimes rewrites dest
o [2004/10/22] kern/72987  ipfw   [ipfw] ipfw/dummynet pipe/queue 'queue [B
o [2004/10/29] kern/73276  ipfw   [ipfw] [patch] ipfw2 vulnerability (parse
o [2005/02/01] kern/76971  ipfw   [ipfw] ipfw antispoof incorrectly blocks
o [2005/03/13] bin/78785   ipfw   [ipfw] [patch] ipfw verbosity locks machi
o [2005/05/05] kern/80642  ipfw   [ipfw] [patch] ipfw small patch - new RUL
o [2005/06/28] kern/82724  ipfw   [ipfw] [patch] Add setnexthop and default
o [2005/10/05] kern/86957  ipfw   [ipfw] [patch] ipfw mac logging
o [2005/10/07] kern/87032  ipfw   [ipfw] [patch] ipfw ioctl interface imple

17 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 22 15:00:33 2005 Return-Path: X-Original-To: ipfw@freebsd.org Delivered-To: freebsd-ipfw@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E41DA16A47C for ; Tue, 22 Nov 2005 15:00:33 +0000 (GMT) (envelope-from eksffa@freebsdbrasil.com.br) Received: from capeta.freebsdbrasil.com.br (vrrp.freebsdbrasil.com.br [200.210.70.30]) by mx1.FreeBSD.org (Postfix) with SMTP id 723A443DA8 for ; Tue, 22 Nov 2005 15:00:19 +0000 (GMT) (envelope-from eksffa@freebsdbrasil.com.br) Received: (qmail 86994 invoked by uid 0); 22 Nov 2005 13:00:12 -0200 Received: from eksffa@freebsdbrasil.com.br by capeta.freebsdbrasil.com.br by uid 82 with qmail-scanner-1.22 (uvscan: v4.3.20/v4633. spamassassin: 2.64. Clear:RC:1(201.17.173.115):. Processed in 0.462423 secs); 22 Nov 2005 15:00:12 -0000 Received: from unknown (HELO ?10.69.69.69?) (201.17.173.115) by capeta.freebsdbrasil.com.br with SMTP; 22 Nov 2005 13:00:11 -0200 Message-ID: <43833270.8060502@freebsdbrasil.com.br> Date: Tue, 22 Nov 2005 13:00:00 -0200 
From: Patrick Tracanelli Organization: FreeBSD Brasil LTDA User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.7) Gecko/20050420 X-Accept-Language: en-us, en MIME-Version: 1.0 To: ipfw@freebsd.org Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Cc: Subject: Features enhacement: AND-block and "me" expression on a table... X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Nov 2005 15:00:34 -0000

Hello ipfw developers,

Would it be hard to make ipfw process "and" blocks, just like "or" blocks? I mean, in the following situation:

    ipfw add deny log tcp from { not 10.10.10.10/32 or not 10.10.10.20/32 } to any dst-port 22 out via fxp0 setup keep-state

In my understanding, this rule will *always* match, because the OR block makes the source always be true, because it *won't* be an origin OR won't the other be. What if we could have:

    ipfw add deny log tcp from { not 10.10.10.10/32 and not 10.10.10.20/32 } to any dst-port 22 out via fxp0 setup keep-state

?

One more thing, I have just noticed that tables do not accept the "me" expression. Any chance to have ipfw deal with "me" in a table?

Also, dummynet does not evaluate tables well. Only the first address is matched against a dummynet rule. It would be great if tables could be used with dummynet and all the mask specifiers...

Those are only some thoughts...

=) -- Patrick Tracanelli From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 23 19:36:00 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E66B016A421 for ; Wed, 23 Nov 2005 19:36:00 +0000 (GMT) (envelope-from alexandre.delay@free.fr) Received: from smtp6-g19.free.fr (smtp6-g19.free.fr [212.27.42.36]) by mx1.FreeBSD.org (Postfix) with ESMTP id D122643D5C for ; Wed, 23 Nov 2005 19:35:54 +0000 (GMT) (envelope-from alexandre.delay@free.fr) Received: from Cerbere-de-Troyes.cerbere23.com (eur10-1-82-241-181-23.fbx.proxad.net [82.241.181.23]) by smtp6-g19.free.fr (Postfix) with ESMTP id F0FCD96A4 for ; Wed, 23 Nov 2005 20:35:51 +0100 (CET) Received: from artemis ([192.168.2.2]) by Cerbere-de-Troyes.cerbere23.com (8.13.3/8.13.3) with SMTP id jANJZpYb018108 for ; Wed, 23 Nov 2005 20:35:51 +0100 (CET) (envelope-from alexandre.delay@free.fr) 
From: "Alexandre DELAY" To: Date: Wed, 23 Nov 2005 20:36:09 +0100 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Subject: Protocol filter capabilities X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Nov 2005 19:36:01 -0000

hi guys,

I am looking for an efficient way to filter different protocols, such as edonkey or BEEP.
For the moment, I think that ipfw doesn't support it.

Don't you think that it would be a nice thing to be able to include such "filters" from, for example, ethereal?
Ethereal supports more than 34k different protocols. It would be nice to be able to choose from those filters and to apply some rules according to those filters.

Do you know a way to do this?

Cheers Alex From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 23 22:42:11 2005 Return-Path: X-Original-To: freebsd-ipfw@hub.freebsd.org Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6AB6916A41F; Wed, 23 Nov 2005 22:42:11 +0000 (GMT) (envelope-from linimon@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8052243D6E; Wed, 23 Nov 2005 22:42:10 +0000 (GMT) (envelope-from linimon@FreeBSD.org) Received: from freefall.freebsd.org (linimon@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id jANMgADf024747; Wed, 23 Nov 2005 22:42:10 GMT (envelope-from linimon@freefall.freebsd.org) Received: (from linimon@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id jANMgAMs024743; Wed, 23 Nov 2005 22:42:10 GMT (envelope-from linimon) Date: Wed, 23 Nov 2005 22:42:10 GMT 
From: Mark Linimon Message-Id: <200511232242.jANMgAMs024743@freefall.freebsd.org> To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org Cc: Subject: Re: kern/89472: [ipfw] ipfw2 no longer supports filtering IPv6-over-IPv4 on 6.0-RELEASE X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Nov 2005 22:42:11 -0000 Synopsis: [ipfw] ipfw2 no longer supports filtering IPv6-over-IPv4 on 6.0-RELEASE Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw Responsible-Changed-By: linimon Responsible-Changed-When: Wed Nov 23 22:41:56 GMT 2005 Responsible-Changed-Why: Over to maintainer(s). http://www.freebsd.org/cgi/query-pr.cgi?pr=89472 From owner-freebsd-ipfw@FreeBSD.ORG Thu Nov 24 23:14:02 2005 Return-Path: X-Original-To: ipfw@freebsd.org Delivered-To: freebsd-ipfw@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4816F16A960 for ; Thu, 24 Nov 2005 23:14:00 +0000 (GMT) (envelope-from patrick.bihan-faou@netzuno.com) Received: from zeweb.mindstep.com (zeweb.mindstep.com [209.161.205.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id E5F3843F52 for ; Thu, 24 Nov 2005 22:00:59 +0000 (GMT) (envelope-from patrick.bihan-faou@netzuno.com) Received: from localhost (localhost.local.mindstep.com [127.0.0.1]) by hottub.local.mindstep.com (Postfix) with ESMTP id 988295F75 for ; Thu, 24 Nov 2005 17:00:58 -0500 (EST) (envelope-from patrick.bihan-faou@netzuno.com) Received: from hottub.local.mindstep.com ([127.0.0.1]) by localhost (hottub.local.mindstep.com [127.0.0.1]) (amavisd-new, port port 10024) with LMTP id 88559-02-4 for ; Thu, 24 Nov 2005 17:00:58 -0500 (EST) Received: from [192.168.50.146] (d80-170-92-212.cust.tele2.fr [80.170.92.212]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate 
requested) by hottub.local.mindstep.com (Postfix) with ESMTP id 297285F76 for ; Thu, 24 Nov 2005 17:00:57 -0500 (EST) (envelope-from patrick.bihan-faou@netzuno.com) Message-ID: <43863812.2040602@netzuno.com> Date: Thu, 24 Nov 2005 23:00:50 +0100 
From: Patrick Bihan-Faou Organization: netZuno Technologies User-Agent: Thunderbird 1.4.1 (Windows/20051006) MIME-Version: 1.0 To: ipfw@freebsd.org References: <43833270.8060502@freebsdbrasil.com.br> In-Reply-To: <43833270.8060502@freebsdbrasil.com.br> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: by amavisd-new on ZunoBox at hottub.local.mindstep.com X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on hottub.local.mindstep.com Cc: Subject: Re: Features enhacement: AND-block and "me" expression on a table... X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Nov 2005 23:14:02 -0000

Hi,

Patrick Tracanelli wrote:
>
> Hello ipfw developers,
>
> Would it be hard to make ipfw process "and" blocks, just like "or"
> blocks? I mean, in the following situation:
>
> ipfw add deny log tcp from { not 10.10.10.10/32 or not 10.10.10.20/32
> } to any dst-port 22 out via fxp0 setup keep-state
>
> In my understanding, this rule will *always* match, because the OR
> block makes the source always be true, because it *won't* be an origin
> OR won't the other be. What if we could have:
>
> ipfw add deny log tcp from { not 10.10.10.10/32 and not 10.10.10.20/32
> } to any dst-port 22 out via fxp0 setup keep-state
>
> ?
>

I have a set of patches that I am playing with that allow the negation
of an entire or block i.e.:

    ipfw add deny log tcp from not { 1.1.1.1 or 2.2.2.2 } to any

So far my tests are good, and I can use this syntax anywhere an or-block
can be implemented.

> One more thing, I have just noticed that tables do not accept the "me"
> expression. Any chance to have ipfw deal with "me" in a table?
>

Looking at the code this is really not as easy as it sounds.
You are probably better off using something like

    ipfw count ip from { table(1) or me } to any

in such situations.

Also I have noticed that it is not possible to add the 255.255.255.255
address to a table either.

I might make these patches available at some point, time permitting.

Patrick.

From owner-freebsd-ipfw@FreeBSD.ORG Sat Nov 26 20:19:17 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CFF4716A41F; Sat, 26 Nov 2005 20:19:17 +0000 (GMT) (envelope-from ume@mahoroba.org) Received: from ameno.mahoroba.org (gw4.mahoroba.org [218.45.22.175]) by mx1.FreeBSD.org (Postfix) with ESMTP id 15A4B43D68; Sat, 26 Nov 2005 20:19:16 +0000 (GMT) (envelope-from ume@mahoroba.org) Received: from kasuga.mahoroba.org (IDENT:iKSYrVCGnnth1RfpNVoie6MRp+k4bY5OGAx35rEQd5njD4G4EN+vRUo+4wdF1lUL@kasuga.mahoroba.org [IPv6:3ffe:501:185b:8010:20b:97ff:fe2e:b521]) (user=ume mech=CRAM-MD5 bits=0) by ameno.mahoroba.org (8.13.4/8.13.4) with ESMTP/inet6 id jAQKJ1Zf089507 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 27 Nov 2005 05:19:02 +0900 (JST) (envelope-from ume@mahoroba.org) Date: Sun, 27 Nov 2005 05:19:01 +0900 Message-ID: 
From: Hajimu UMEMOTO To: Gael Roualland In-Reply-To: <200511232143.jANLh7x3022902@jerry.priv> References: <200511232143.jANLh7x3022902@jerry.priv> User-Agent: xcite1.38> Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.7 (=?ISO-8859-4?Q?Sanj=F2?=) APEL/10.6 Emacs/22.0.50 (i386-unknown-freebsd6.0) MULE/5.0 (SAKAKI) X-Operating-System: FreeBSD 6.0-STABLE X-PGP-Key: http://www.imasy.or.jp/~ume/publickey.asc X-PGP-Fingerprint: 1F00 0B9E 2164 70FC 6DC5 BF5F 04E9 F086 BF90 71FE Organization: Internet Mutual Aid Society, YOKOHAMA MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka") Content-Type: text/plain; charset=US-ASCII X-Greylist: Sender succeeded SMTP AUTH authentication, not delayed by milter-greylist-2.0.2 (ameno.mahoroba.org [IPv6:3ffe:501:185b:8010::1]); Sun, 27 Nov 2005 05:19:02 +0900 (JST) X-Virus-Scanned: by amavisd-new X-Virus-Status: Clean X-Spam-Status: No, score=-4.0 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.1.0 X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on ameno.mahoroba.org Cc: freebsd-ipfw@freebsd.org, FreeBSD-gnats-submit@freebsd.org Subject: Re: kern/89472: ipfw2 no longer supports filtering IPv6-over-IPv4 on 6.0-RELEASE X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 26 Nov 2005 20:19:18 -0000

Hi,

>>>>> On Wed, 23 Nov 2005 22:43:07 +0100 (CET)
>>>>> Gael Roualland said:

gael> Hum, I didn't notice the "ipv6" string was handled a bit differently
gael> than the numeric proto number in ipfw.

gael> It does work, at least IPv6-over-IPv4 packets are not blocked, but ipfw
gael> list/show reports the rule as "allow ip from a.b.c.d to me" and it does
gael> filter it that way, opening a lot more than just protocol 41...

Umm, 41 is treated as ipv6, internally.  With the following patch,

	allow ip from a.b.c.d to me proto 41

should work as a workaround.

However, it is still incomplete, and `ipfw show' shows allow ip from any to any proto ipv6 Apart from this limitation, it seems working to me here. Index: sbin/ipfw/ipfw2.c diff -u -p sbin/ipfw/ipfw2.c.orig sbin/ipfw/ipfw2.c --- sbin/ipfw/ipfw2.c.orig Sat Aug 20 17:36:57 2005 +++ sbin/ipfw/ipfw2.c Sun Nov 27 04:18:43 2005 @@ -3611,7 +3611,8 @@ add_proto(ipfw_insn *cmd, char *av, u_ch *proto = pe->p_proto; else return NULL; - if (*proto != IPPROTO_IP && *proto != IPPROTO_IPV6) + if (strcmp(av, "ipv4") != 0 && strcmp(av, "ip4") != 0 && + strcmp(av, "ipv6") != 0 && strcmp(av, "ip6") != 0) fill_cmd(cmd, O_PROTO, 0, *proto); return cmd; Sincerely, -- Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan ume@mahoroba.org ume@{,jp.}FreeBSD.org http://www.imasy.org/~ume/ From owner-freebsd-ipfw@FreeBSD.ORG Sat Nov 26 20:20:21 2005 Return-Path: X-Original-To: freebsd-ipfw@hub.freebsd.org Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9FDCE16A41F for ; Sat, 26 Nov 2005 20:20:21 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id CE0E243DAD for ; Sat, 26 Nov 2005 20:20:10 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id jAQKK6Iw054742 for ; Sat, 26 Nov 2005 20:20:06 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id jAQKK6rF054741; Sat, 26 Nov 2005 20:20:06 GMT (envelope-from gnats) Date: Sat, 26 Nov 2005 20:20:06 GMT Message-Id: <200511262020.jAQKK6rF054741@freefall.freebsd.org> To: freebsd-ipfw@FreeBSD.org 
From: Hajimu UMEMOTO Cc: Subject: Re: kern/89472: ipfw2 no longer supports filtering IPv6-over-IPv4 on 6.0-RELEASE X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Hajimu UMEMOTO List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 26 Nov 2005 20:20:21 -0000 The following reply was made to PR kern/89472; it has been noted by GNATS. From: Hajimu UMEMOTO To: Gael Roualland Cc: FreeBSD-gnats-submit@freebsd.org, freebsd-ipfw@freebsd.org Subject: Re: kern/89472: ipfw2 no longer supports filtering IPv6-over-IPv4 on 6.0-RELEASE Date: Sun, 27 Nov 2005 05:19:01 +0900 Hi, >>>>> On Wed, 23 Nov 2005 22:43:07 +0100 (CET) >>>>> Gael Roualland said: gael> Hum, I didn't notice the "ipv6" string was handled a bit differently gael> than the numeric proto number in ipfw. gael> It does work, at least IPv6-over-IPv4 packets are not blocked, but ipfw gael> list/show reports the rule as "allow ip from a.b.c.d to me" and it does gael> filter it that way, opening a lot more than just protocol 41... Umm, 41 is treated as ipv6, internally. With following patch, allow ip from a.b.c.d to me proto 41 should work for workaround. However, it is still incomplete, and `ipfw show' shows allow ip from any to any proto ipv6 Apart from this limitation, it seems working to me here. Index: sbin/ipfw/ipfw2.c diff -u -p sbin/ipfw/ipfw2.c.orig sbin/ipfw/ipfw2.c --- sbin/ipfw/ipfw2.c.orig Sat Aug 20 17:36:57 2005 +++ sbin/ipfw/ipfw2.c Sun Nov 27 04:18:43 2005 
@@ -3611,7 +3611,8 @@ add_proto(ipfw_insn *cmd, char *av, u_ch *proto = pe->p_proto; else return NULL; - if (*proto != IPPROTO_IP && *proto != IPPROTO_IPV6) + if (strcmp(av, "ipv4") != 0 && strcmp(av, "ip4") != 0 && + strcmp(av, "ipv6") != 0 && strcmp(av, "ip6") != 0) fill_cmd(cmd, O_PROTO, 0, *proto); return cmd; Sincerely, -- Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan ume@mahoroba.org ume@{,jp.}FreeBSD.org http://www.imasy.org/~ume/
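
Review bot: The replacement condition in add_proto() tests the spelling in av where the removed line tested the resolved *proto, so the `*proto != IPPROTO_IP` exclusion is gone: any argument other than the four listed strings that resolves to IPPROTO_IP or IPPROTO_IPV6 (a numeric value, a name that arrives through pe->p_proto, or a differently cased name, since strcmp is case-sensitive) now reaches fill_cmd(cmd, O_PROTO, 0, *proto). Emitting O_PROTO for a numeric 41 is the stated goal, but the IPPROTO_IP side should stay excluded by value, for example by keeping `*proto != IPPROTO_IP &&` ahead of the strcmp chain, and the reason for comparing names should be recorded in a comment above the test. The message also says `ipfw show' still prints such a rule as "proto ipv6", so the listing code needs a matching change before the rule round-trips.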